Friday, December 30, 2011

A question of trust: the hacking of Root CAs (Certificate Authorities)

Back in March, a root certificate authority named Comodo was hacked, and used by a self-proclaimed Iranian hacker to issue legitimate SSL certificates for a number of sites, including Google, Skype, Mozilla, Live.com and Yahoo. SSL certificates confirm that a secure site really is what it says it is; your browser has a list built into it of certificate authorities that it trusts, so when you visit an SSL site it checks the certificate against the issuer. If the issuer isn't on the list, you get a warning.

If a hacker creates a "fake" certificate from the real authority, then any site is, as far as your computer or phone knows, legitimate if it presents that certificate. The implications for shopping or other interaction are huge: you become vulnerable to a man-in-the-middle (MITM) attack, where someone operates a site using the "fake" certificate between you and the real site. From your end, it's a legitimate SSL site. For the person running it, they can see everything passing between you and the real site. Comodo's dodgy certificates were revoked, but it depended on whether people accepted a browser update as to whether or not they would be protected.

Then in July, the Dutch SSL certificate authority Diginotar (which provided the SSL certificates for thousands of sites including the Dutch government) was hacked, and a number of certificates, including one for Google, issued. These certificates were used for a MITM attack on Iranian users of Google Mail – another indication that web security really does have human consequences.

Many experts now believe that the current SSL CA system is broken. One expert in this area, Moxie Marlinspike, proposes that all of the current problems with the CA system can be reduced to a single missing property, called "Trust Agility", and he has proposed a secure replacement for the existing the SSL CA system called "Convergence".

This story is perhaps the most important thing to have happened to InfoSec in 2011 – and how it is dealt with in 2012 may be crucial.

The loose collective of hackers known as Anonymous were quite busy in 2011. The group first gained widespread attention back in 2008 with their "Project Chanology" raids on the Church of Scientology. One of their symbols, the Guy Fawkes mask (first popularized by the comic book and film "V for Vendetta) has now become instantly recognisable, as well as becoming associated with the Occupy Wall Street movement. Their self description in the form of an aphorism is: "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us."

Here are some of their more memorable activities of the year ...

* Operations in support of the Arab Spring Democracy movements in Egypt, Tunisia and Libya - Anonymous performed DDoS attacks on eight Tunisian government websites which may have led to an upsurge of internet activism among Tunisians against their government. Anonymous also attacked the websites of the incumbent governments in Egypt and Libya along with the internet censorship methods being used in these countries.

* In February came the attack on HBGary Federal - in retaliation for the CEO's (Aaron Barr) claims of having infiltrated Anonymous, members of Anonymous hacked the website of HBGary Federal, took control of the company's e-mail, dumped 68,000 e-mails from the system into the public domain, erased files, and took down their phone system.

* Next came the attack Sony websites (Operation Sony) in response to Sony's lawsuit against George Hotz and, specifically due to Sony's gaining access to the IP addresses of all the people who visited George Hotz's blog as part of the libel action, terming it an 'offensive against free speech and internet freedom'. Although Anonymous admitted responsibility to subsequent attacks on the Sony websites, Anonymous branch AnonOps denied that they were the cause behind a major outage of the Playstation Network and Qriocity services in April 2011. On May 4, 2011, Sony confirmed that individual pieces of personally identifiable information from each of the 77 million accounts appeared to have been stolen. The outage lasted for approximately 23 days.

* In August 2011, Operation BART was launched in response to San Francisco Bay Area Rapid Transit's shutdown of cell phone service in an attempt to disconnect protesters from assembling violently in response to a police shooting, Anonymous sent out a mass email/fax bomb to BART personnel and organized multiple mass physical protests at the network's Civic Center station.

* Several contingents of Anonymous have given vocal support to the Occupy Wall Street movement, with vast numbers of members attending local protests and several blogs run by members covering the movement extensively.

* In early August, Anonymous launched Operation Syria and hacked the Syrian Defense Ministry website. In September, a group tied to Anonymous appeared on Twitter, calling themselves RevoluSec (Revolution Security). They defaced Syrian websites, including the Syrian Central Bank and other pro-regime sites. Telecomix worked with Anonymous to show Syrians how to bypass the internet censorship put in place by the regime.

* Operation Mayhem: on November 18, Anonymous released a video claiming to have released the "Guy Fawkes Virus" on Facebook and that they will release it on Twitter soon. The first reason claimed for its release was to protest the violence of the police force against Occupy Wall Street protestors, the second was to protest the Stop Online Piracy Act and the third reason was to counter anyone who claims to be against Anonymous.

At Black Hat USA, SCADA security researcher Dillon Beresford gave one of the most alarming public demonstrations of the fragility of security in power control systems. Beresford, a researcher with NSS Labs, demonstrated how a backdoor in Siemens industrial control systems let him get inside, capture passwords and reprogram PLC logic such that he could shut down the systems altogether or cause them to eventually crash. He had initially postponed a presentation earlier in the year on his vulnerability finds due to concerns about possible risk to human life. Remember that the same Siemens industrial control systems were targeted successfully by the Stuxnet worm in 2010, which infected several Iranian nuclear facilities with devastating effect by making use of custom a PLC rootkit along with several zero-day vulnerabilities and fake SLL certificates from two compromised CAs.

SCADA security expert Jerome Radcliffe, a diabetic, had become curious about the security of the devices that keep his blood sugar in check. So he started studying how continuous glucose monitors (CGM) and insulin pumps could be hacked, and discovered that at least four models of insulin pumps sold by Medtronic can be hacked wirelessly.

An attacker could remotely disable the pumps or alter the insulin dosage that's automatically delivered to the user. Radcliffe demonstrated that a hacker could illicitly turn off the pump remotely, with the device offering only a small chirp as a response, and also remotely manipulate any setting on the pump without the user's knowledge. "It's basically like having root on the device, and that's like having root on the chemistry of the human body," he said. It was a frightening but enlightening find given the life-or-death consequences. Radcliffe was also able to disrupt and jam the GSM devices.

For around US$6,000, security researchers Mike Tassey and Richard Perkins built a radio-controlled model airplane with an onboard computer running linux with 4G connectivity that could be used as a hacking "drone" to wage aerial attacks on targets that are unreachable on land. They brought their Wireless Aerial Surveillance Platform (WASP) to Las Vegas for Defcon to demonstrate the potential threat of "warflying."

Security researcher Charlie Miller demonstrated this year that the embedded controllers on laptop batteries are hackable. Miller found that Apple's laptop battery has two hardcoded passwords that could be exploited to make changes to the smart battery system's firmware. The passwords are a way for Apple to update the firmware, but they also leave it wide open for abuse. Miller disassembled his MacBook's batteries and found that Apple uses one default password to unlock the battery and another to access the firmware. If an attacker were to obtain those passwords, then he could eavesdrop on any communication between the battery and the laptop, as well as inject malicious code.

Australian security consultant Daniel Grzelak made an unexpected discovery as he searched for publicly accessible databases containing e-mail address and password pairs. The entire user database of Groupon's Indian subsidiary Sosasta.com including cleartext usernames and passwords was accidentally published to the Internet and indexed by Google.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like "password" and "gmail". "A few hours and tweaks later, this database came up," he said. "I started scrolling, and scrolling and I couldn't get to the bottom of the file. Then I realised how big it actually was."

As a side project, he created shouldichangemypassword.com, a website that allows any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised. Grzelak was searching for more compromised accounts to add to the website's database when he stumbled across the Sosasta database.

Australian information security professional Patrick Webster had noticed his pension fund, First State Superannuation, allowed logged in members to access online statements via a "direct object reference" bug - one which is included in OWASP's infamous top ten list of Web Application security bugs. Sure enough when Webster incremented the document ID number in the URL linking to his super statement, up popped another member's statement. The details revealed on the statement were a fraudster's dream, including full names, addresses, email addresses, membership number, age, insurance information, pension amount, fund allocations, beneficiaries and employer information.

First State’s response to being quietly tipped off by Webster with his valuable information was extremely stupid, which is why it attracted a large amount of media attention ... they got police and lawyers involved to threaten Webster with arrest and also issued him a bill for the amount it would cost to fix the bug, then demanded access to his computer equipment.

After the storm of controversy following their heavy handed approach, they backed down from their stance but are now facing an investigation by the Australian Federal Privacy Commissioner as to why the security vulnerability was out there, undiscovered, for a period of 18 months or more. The fund's contracts with Australian government departments, such as ASIO (Australia's CIA), were also looking a little bit shaky.

There's war driving, and then there's war texting. Security researcher Don Bailey discovered how simple it is to remotely disarm a car alarm system and control other GSM and cell-connected devices: He showed off his find by remotely starting a car outside Caesars Palace in Las Vegas during the Black Hat USA and DefCon shows.

A 10-year-old girl who attended the inaugural DefCon Kids conference within the DefCon show this year nearly stole the show with her hack. "CyFi" said she was getting bored with her favorite mobile gaming app, so she came up with a neat trick to switch the time on her device to make it more challenging. What she didn't realize at first was that she had actually discovered a whole, new class of zero-day bugs across multiple tablet and smartphone operating systems. "I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said. It wasn't until her mom caught wind that CyFi had found a way to game her game that things got real. Her mom, a seasoned DefCon attendee, knew this was more than just a clever child's trick: CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom said.

Sunday, October 2, 2011

1. Never Stop Learning and ReadingRead books, not just websites.Read for self-improvement, not just for the latest project.Read about improving your trade, not just about the latest technology.
Some of the books listed here would be a good start: The most influential programming books of all time

2. Work With People Smarter Than Yourself
Working with smarter and/or more experienced developers will teach you a great deal.

3. Become a Polymath (or 'Jack-of-all-Trades')
Decide to be a 'Jack-of-all-Trades', allowing you to avoid becoming 'pigeon-holed' into one specialty, which can stagnate your programming skills, as well as hurt your future employment prospects.

4. Read and Document Other People's Code
Writing code is significantly easier than reading someone else's code and figuring out what it does.

5. Get Programming Experience on a Real Project
There is nothing like getting in and coding, especially under pressure - work on a real project, with real fickle customers, with real, ever-changing requirements and with real engineering problems.

6. Teach Others About Programming
This will force you to understand something at a completely different level, since you have to explain it to someone else.

7. Learn One New Programming Language Every Year
One year gives you enough time to get past the basics - it pushes you towards understanding what's beneficial in that language, and to be able to program in a style native to that language.

8. Complete One New Pet Project Every Year
Start a "pet" project and follow it to completion and delivery; a good pet project will push your boundaries and keep you interested.

9. Learn Assembly Language
Learning a low level language like assembly gives you insight into the way computers 'think' without any high-level abstractions; the elegance at this level is surprising.

10. See Your Application From the End User's Perspective
Interact with the end-user to see, through their eyes, how they use the software; end users are typically not technical, and they often see software as a magical piece of work, while you see software as a logical set of steps.

11. Start a Physical Exercise Program
You work a whole lot better when you're in good physical shape - problems become easier and less overwhelming, wasting time is much less of a temptation, you can think clearer, and working through things step by step doesn't seem an arduous task.

12. Learn Touch Typing
Learning to touch type is a quick and effective way to give your productivity a boost as a programmer.

Sunday, September 25, 2011

HOW TO: Gain access to a Windows Server 2008 running RAID when the local administrator password is forgotten

The original problemThe IT team was diagnosing an issue with all inbound connections being rejected to a Windows 2008 server machine (a dual quad-core Dell Poweredge running 4 disk RAID PERC 6/i). It turned out the problem was that Windows Firewall was setup as using the "public" profile for its firewall rules.

Since the server should have been assigned to the "domain" profile for the firewall rules, and it seemed like the machine was not on the domain, the IT team decided it would be a good idea to "bump" the server onto the domain, that is, take it off the domain and then re-add it to the domain. Unfortunately the server ran the accounting software (including payroll) for the company. Also, the domain controller was administered in a country half way around the world, such that any access to higher up IT support would have had to wait another 12 hours or so.

The new problem
The IT team didn't have the local administrator password for the server. And since they had now taken the server off the domain, it could no longer be accessed using the domain user and password combination that they had always used in the past. But nobody in the company knew the local administrator password for the machine. In 14 hours time the company's payroll would need to be processed and there was no way to access the application server running the accounting software. If there's anything that motivates people to work hard its the possibility of not being payed their wages due to a technical issue.

The admin password, it now seemed, was just lost forever. About this point I came upon the following Q&A post on the excellent ServerFault.com ...

There is two main types of free linux-based "boot crackers" which crack windows machines by booting a custom version of linux with a limited user interface ...

Type 1: Rainbow Table Cracker
A boot cracker that brute forces passwords using lookup tables (rainbow tables). This type does not need to actually change the file system of the machine, but just reads the encrypted Windows SAM (Security Accounts Manager) password file from the machine and cracks it using lookup tables to gain access to the administrator password. Various comments on forums generally say that in most cases this will succeed, and will take no more than a few minutes.

Type 2: Password Reset Cracker
A boot cracker that resets the local administrator password on the machine. This type just clears the password and in doing so has to write to the file system. For this reason it is considered a little more risky. Also that fact that if the EFS (Encrypted File System) is being used, then it can result in the password not being cleared but actually being scrambled, and furthermore, irretrievable.

Using the cracker
I initially decided to try ophcrack since it was type 1, and didn't write back to the file system. This seemed initially to work like a charm, booting first time into its linux GUI, but when we tried to mount the file system (which was 4 disk RAID) we realised that the PERC 6/i RAID controller wasn't recognised by the cracker's linux distro. The linux command "fdisk -l" only listed one drive - that of the DVD-ROM drive which the cracker booted with - so it didn't have access to the RAID file system.

Success!
So onto the next option; using a type 2 cracker called "NTPASSWD" - we burnt the files to a CD-ROM and booted. This one has a command line only interface, but it worked like a charm - booted first time and had access to the RAID file system. It listed all the local users on the system. So we selected which one to clear the password for (Administrator) and this was all that was needed. Hey presto, restarted the machine and no login was needed - it had worked!

If this one hadn't worked, there was one final cracker that I probably would have tried, a commercial cracker, here, that boots in a "Pre-installation" version of Windows and claims to support all major RAID controllers and hard disk hardware around. The cost was something like $199 but this would have been well worth it if the other free crackers hadn't worked.

Sunday, September 18, 2011

Here is my list of what I believe are ten of the best books about hackers in real life. All of these include descriptions of actual events, and the personalities involved in hacking. Feel free to post your alternative suggestions in the comments section below. For a brief description of each one please check this page out here. Enjoy!

Widely considered one of the best practical guides to programming, this book has been helping developers write better software for more than a decade. The second edition was updated with leading-edge practices and hundreds of new code samples, illustrating the art and science of software construction. Capturing the body of knowledge available from research, academia, and everyday commercial practice, McConnell synthesizes the most effective techniques and must-know principles into clear, pragmatic guidance. No matter what your experience level, development environment, or project size, this book will inform and stimulate your thinking, and help you build the highest quality code.

The Pragmatic Programmer: From Journeyman to MasterBy Andrew Hunt and David Thomas
Published: October 30, 1999
Publisher: Addison-Wesley Professional
Amazon Link: here

Like any other craft, computer programming has spawned a body of wisdom, most of which isn't taught at universities or in certification classes. Most programmers arrive at the so-called tricks of the trade over time, through independent experimentation. In The Pragmatic Programmer, Andrew Hunt and David Thomas codify many of the truths they've discovered during their respective careers as designers of software and writers of code. The cool thing about this book is that it's great for keeping the programming process fresh. The book helps you to continue to grow and clearly comes from people who have been there.

Teaches readers how to program by employing the tools of abstraction and modularity. The authors' central philosophy is that programming is the task of breaking large problems into small ones. You will learn a thing or two about functional programming, lazy evaluation, metaprogramming (well, metalinguistic abstraction), virtual machines, interpreters, and compilers. The book was originally written for the famous 6.001, the introductory programming course at MIT. It may require an intellectual effort to read, but the reward is well worth the price.

Concise and easy to read, it will teach you three things: the C programming language, how to think like a programmer, and the C abstract machine model (what's going on "under the hood"). Co-written by Dennis Ritchie, the inventor of the C programming language.

Introduction to Algorithms, the 'bible' of the field, is a comprehensive textbook covering the full spectrum of modern algorithms: from the fastest algorithms and data structures to polynomial-time algorithms for seemingly intractable problems, from classical algorithms in graph theory to special algorithms for string matching, computational geometry, and number theory. The revised third edition notably adds a chapter on van Emde Boas trees, one of the most useful data structures, and on multithreaded algorithms, a topic of increasing importance.

Refactoring is about improving the design of existing code. It is the process of changing a software system in such a way that it does not alter the external behavior of the code, yet improves its internal structure. With refactoring you can even take a bad design and rework it into a good one. This book offers a thorough discussion of the principles of refactoring, including where to spot opportunities for refactoring, and how to set up the required tests. There is also a catalog of more than 40 proven refactorings with details as to when and why to use the refactoring, step by step instructions for implementing it, and an example illustrating how it works The book is written using Java as its principle language, but the ideas are applicable to any OO language.

Design Patterns is a modern classic in the literature of object-oriented development, offering timeless and elegant solutions to common problems in software design. It describes patterns for managing object creation, composing objects into larger structures, and coordinating control flow between objects. The book provides numerous examples where using composition rather than inheritance can improve the reusability and flexibility of code. Note, though, that it's not a tutorial but a catalog that you can use to find an object-oriented design pattern that's appropriate for the needs of your particular application--a selection for virtuoso programmers who appreciate (or require) consistent, well-engineered object-oriented designs.

Few books on software project management have been as influential and timeless as The Mythical Man-Month. With a blend of software engineering facts and thought-provoking opinions, Fred Brooks offers insight for anyone managing complex projects. These essays draw from his experience as project manager for the IBM System/360 computer family and then for OS/360, its massive software system. Now, 20 years after the initial publication of his book, Brooks has revisited his original ideas and added new thoughts and advice, both for readers already familiar with his work and for readers discovering it for the first time.

The bible of all fundamental algorithms and the work that taught many of today's software developers most of what they know about computer programming. One of the book's greatest strengths is the wonderful collection of problems that accompany each chapter. The author has chosen problems carefully and indexed them according to difficulty. Solving a substantial number of these problems will help you gain a solid understanding of the issues surrounding the given topic. Furthermore, the exercises feature a variety of classic problems.

Known to professors, students, and developers worldwide as the "Dragon Book," the latest edition has been revised to reflect developments in software engineering, programming languages, and computer architecture that have occurred since 1986, when the last edition published. The authors, recognizing that few readers will ever go on to construct a compiler, retain their focus on the broader set of problems faced in software design and software development.

Sunday, August 28, 2011

Earlier this year the online banking malware ZeuS trojan's source code was leaked. One of the predictions made by security researchers at the time was that the leaked code would be used by independent malware developers, who would explore it and develop their own hybridized versions of ZeuS, adding custom features and advancements to it.

A new trojan was briefly presented to cybercriminals in the Russian-speaking underground in late April 2011 (as v1.0.0). The developer who wrote the new trojan, and named it "Ice IX", openly declared that he developed his new trojan based on the ZeuS v2 source code, and in doing so allegedly perfecting flaws and bugs he believed needed fixing to improve the product's value to its cybercriminal customers.

What's in a name: the meaning of "Ice IX"
The naming of Ice IX is quite interesting; there are a number of sources from which the developer could have been inspired to name the new trojan Ice IX. I've listed these in order from "most likely" to "least likely" to have been the inspiration.

Ice 9 is a fictional computer virus from the film "The Recruit" (2003). The malware, named Ice-9 in tribute to Kurt Vonnegut's ice-nine (see item no. 8 below), would erase hard drives and travel through power sources which are not protected; possibly erasing data from every computer on Earth.

Ice 9 is an album by Russian rock band Smyslovye Gallyutsinatsii, two songs from which won the Russian Golden Gramophone award twice. The band is also known under a much shorter name "Glyuki", a slang term, which means basically the same as the long name: glitches in your brain. More: http://en.wikipedia.org/wiki/Smyslovye_Gallyutsinatsii

ICE is a well known cyberpunk reference to "Intrusion Countermeasures Electronics" - software which works to prevent intruders/hackers/cyberpunks getting access to sensitive data. It is "visible" in cyberspace as actual walls of ice, stone, or metal. Black ICE refers to ICE that are capable of killing the intruder if deemed necessary or appropriate; some forms of black ICE may be artificially-intelligent. More: http://en.wikipedia.org/wiki/Intrusion_Countermeasures_Electronics

In cryptography, ICE (Information Concealment Engine) is a block cipher published by Kwan in 1997. The ICE algorithm is not subject to patents, and the source code is in the public domain. More: http://en.wikipedia.org/wiki/ICE_(cipher)

The term ICE, referencing the cyberpunk usage, has been adopted by some real-world security software manufacturers: BlackICE, security software made by IBM Internet Security Systems. Black Ice Defender, security software made by Network ICE. Network ICE, a security software company.

On April 28, 2009, the Information and Communications Enhancement Act, or ICE Act for short, was introduced to the United States Senate by Senator Tom Carper to make changes to the handling of information security by the federal government, including the establishment of the National Office for Cyberspace. More: http://www.opencongress.org/bill/111-s921/show

Ice IX is a form of solid water stable at temperatures below 140 K and pressures between 200 and 400 MPa. It has a tetragonal crystal lattice and a density of 1.16 g/cm³, 26% higher than ordinary ice. It is formed by cooling ice III from 208 K to 165 K (rapidly—to avoid forming ice II). Its structure is identical to ice III other than being proton-ordered. More: http://en.wikipedia.org/wiki/Ice_IX

Ice-nine is a fictional material conceived by writer Kurt Vonnegut in his 1963 novel "Cat's Cradle". It is different from, and does not have the same properties as, the real-world ice polymorph Ice IX; existing, for example, as a stable solid at room temperature and regular atmospheric pressure. More: http://en.wikipedia.org/wiki/Ice-nine

Ice 9 is a song by Joe Satriani from his album Surfing with the Alien.

Wow, bet you never knew there was so many references to ICE and ICE 9 in the world right? !! So ... back onto the Malware form of Ice IX...

Tracker Evasion
The new feature considered most valuable by Ice IX's developer is the implementation of a defense mechanism designed to evade Tracker sites, which he managed to implement in version 1.0.5 of the Ice IX trojan. Repeatedly stressed by Ice IX's developer, his buyers will finally be able to sidestep what has apparently become quite the hurdle for cybercriminals - ZeuS and SpyEye trackers. The two main tracker sites, "ZeuS tracker" and "SpyEye tracker" are operated by a Swiss-based organization which monitors and reports malicious C&C (Command and Control) servers to web users, service providers, CERTs and law enforcement agencies. Ice IX's developer claims that the evasion mechanism means the malware can be hosted on standard (legitimate) hosting servers, as opposed to having to use so called "bulletproof" servers which are expensive and typically operate specifically to service cybercrime-based customers.

A Better Injection Mechanism
The injection mechanism refers to how the malware is able to "inject" code and data into the webpage of an online banking site while the user is actually using the site in order to alter the function of the page. Typically ZeuS has had problems when injecting into javascript and also had difficulty maintaining original look and feel of a page when CSS was used. Ice IX seems to have overcome some of these issues, giving the malware a much better success rate.

Marketing the Malware
Extracts from the original text posted by Ice IX's developer in a Russian forum, translated to English:

Ice 9 is a new private Form Grabber-bot based on ZeuS, but a serious rival to it. Built on a modified ZeuS core, the core was re-worked and improved. The bypassing of firewalls and other proactive defenses was perfected. Moreover, the injection mechanism has been improved, allowing much more stability for the injections. The main purpose of this trojan was to counteract trackers, raising the conversion rate and the bots' TTL (time to live), as compared to its predecessor. These features were successfully implemented as we constantly work to further improve the code.

Main Functions

Keylogging

HTTP and HTTPS Form Grabbing, injecting its own code into IE and into IE-based browsers (Maxton, AOL, etc..), as well as Mozilla FireFox.

Real-Time screenshots, plus the option to automate taking screenshots while the bot browses to preset URLs

Grabs certificates from MY storage space and clears storage (certificates marked as “Non-Exportable” cannot be exported correctly). Once cleared, all new certificates will be sent to the bot master's C&C server.

Upload specific files from the infected machine or perform searches on local disks enabling wildcards.

TCP protocol traffic sniffer

Elaborate set of commands to control the infected PCs

Advantages

Protected from trackers¹

Host your botnet with conventional hosting, not needing bulletproof servers, which will save you loads of money.

Developing more modules and features may be negotiated per the client’s request.

¹ By trackers, the developer means the ZeuS tracker and SpyEye tracker: Swiss-based Anti malware organizations.
² Bot conversion rate is the ratio of the number of bots which actually communicate with the C&C server divided by the total number of bots infected.

Licensing and Prices for Version 1.0.5

BASIC LICENSE: Trojan with hardcoded C&C server: $600. You get the Bot + the Builder that generates the configuration file.

COMPLETE LICENSE: Open Trojan with unlimited Builder license: $1,800

Ice IX is offered at a lower price than what one would have paid for a comparative ZeuS kit or a SpyEye kit (SpyEye is still being sold for an approximate $4,000 USD today). According to earlier posts about Ice IX an open license to the first version v1.0.0 was sold for $1,500.

Upcoming EnhancementsIn an English-speaking online forum, the trojan's developer gives potential buyers a glimpse into what will be included in the next upgrade:

HTML & JavaScript injections that will work on the Firefox browser.

A function that will block the SpyEye trojan on Ice IX-infected PCs (this sounds exactly like the 'Kill ZeuS' feature of SpyEye).

As with ZeuS, Ice IX will encrypt communication with the C&C server, using a different encryption algorithm to ZeuS.

Review of Ice IX by another Cybercrime Vendor
After the posting of Ice IX, another vendor selling HTML injections offered his stamp of approval of the Ice IX trojan. The new Ice IX buyer had some opinions on the injection mechanism of Ice IX:

JavaScript files are easily injected, and you can’t say that about ZeuS

CSS files are successfully injected; it appears that Ice IX supports the use of Cascading Style Sheets in the process of integrating injected content into the original website's look and feel. This improvement steps-up the appearance of injected content and web page replicas.

The order of data_before, data_after, data_inject blocks plays no role. The trojan understands them in any block order. When referring to data_before / data_after blocks, the fraudster is speaking of the delimitations that must be specified to a web injection. For example:

Data_before: When a login set requires username, password and secret question, the data_before is all three sets

Data_inject: The additional data that the fraudster would like to inject into the page

Data_after: The lower limit field of the data the trojan looks for

In the ZeuS trojan's injection mechanism, these three blocks had to come in a specific order. Using Ice IX, the order no longer matters; the trojan understands what it has to locate and inject. This means that the new injections are more fail-tolerant than the way they were used in ZeuS. Other changes applied to the code also aim to facilitate ease of functionality, rendering Ice IX more tolerant in a sense, where the use of wildcards in URL names does not slow page loading and case-sensitive search terms could be incorporated into the data fields searched by the trojan.

Conclusion
So we can expect that from now on, more new banking malware will be based on ZeuS (and SpyEye) code. New malware developers, hoping to profit from cybercrime, will attempt to create their own new alternatives based on this source with the addition of incremental improvements over the older versions.